security

Typically, when we think of hacks, our minds conjure images of compromised security systems, personal computers or server farms, but printers? According to Neil Smith, a researcher from the US Computer Emergency Readiness Team, unauthorized access to those devices could be a very real threat — if you happen to own a Samsung model. Discovered and submitted to the agency this past Monday, the exploit unearthed by Smith takes advantage of an “SNMP backdoor”: an internet protocol that allows for remote network administrative control without authentication. The vulnerability — which would give hackers access to data sent to the printer, as well as control over it (think: ceaseless printing!) — affects most units released before November of this year. For its part, Samsung has promised that a patch is forthcoming. But, in the meantime, if you want to avoid exposing any personal data or the possibility of a seemingly possessed printer, it’s best you steer clear of rogue WiFi connections.

Historically, the single biggest problem Apple faced in the PC market is that most consumers never even considered buying an Apple computer. If this number of potential switchers is even close to true, Mac and iPad sales are going to continue to grow.

Most people are happy to give their neighbours a spare house key in case of emergencies, but you probably wouldn’t want to give them your digital passwords. Now security researchers have shown that you may not have a choice, at least when it comes to cloud computing.

Cloud servers let users run simulations of an ordinary computer, called virtual machines (VMs), on remote hardware. A VM performs exactly as an ordinary computer would, but because it is entirely software-based, many of them can run on a single hardware base. Yinqian Zhang of the University of North Carolina, Chapel Hill, and colleagues have discovered that it is possible for one VM to steal cryptographic keys – used to keep your data secure – from another running on the same physical hardware, potentially putting cloud-computing users at risk.

The attack exploits the fact that both VMs share the same hardware cache, a memory component that stores data for use by the computer’s processor. The attacking VM fills the cache in such a way that the target VM, which is processing a cryptographic key, is likely to overwrite some of the attacker’s data. By looking at which parts of the cache are changed, the attacking VM can learn something about the key in use.

Zhang and team did not test the attack in the cloud for real, but used hardware similar to that employed by Amazon’s cloud service to try stealing a decryption key. They were able to reconstruct a 4096-bit key in just a few hours, as reported in a paper presented at the Computer and Communications Security conference in Raleigh, North Carolina, last month.

This attack won’t apply in all situations, as an attacker would have to establish a VM on the same hardware as yours, which isn’t always possible. What’s more, an attack would not work on hardware running more than two VMs. Still, those looking to use cloud services for high-security applications may want to reconsider.
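The mechanism described above, as an added toy model that is not code from the paper or the article: a co-resident tenant fills (primes) a tiny shared cache, lets the victim process one key bit, then probes which sets the victim evicted. The model also shows the standard mitigation, a victim whose memory accesses do not depend on the key, so the probe learns nothing. Cache size, tenant names and the sample key are constructed for the example.

```python
# Added toy model of the shared-cache leak described above and of the
# standard mitigation (key-independent memory access). Constructed
# example; not code from the paper or the article.
from typing import Callable, List

N_SETS = 4  # constructed: a tiny cache with four sets of one line each


class SharedCache:
    """Each set remembers which tenant ('attacker' or 'victim') last filled it."""

    def __init__(self) -> None:
        self.owner = ["attacker"] * N_SETS

    def touch(self, tenant: str, cache_set: int) -> None:
        self.owner[cache_set % N_SETS] = tenant


def leaky_victim(cache: SharedCache, bit: int) -> None:
    """Key-dependent access: the set touched reveals the key bit."""
    cache.touch("victim", bit)


def constant_victim(cache: SharedCache, bit: int) -> None:
    """Mitigation: touch the same sets whatever the key bit is."""
    del bit  # the bit must not influence the access pattern
    cache.touch("victim", 0)
    cache.touch("victim", 1)


def prime_probe(victim: Callable[[SharedCache, int], None],
                key_bits: List[int]) -> List[int]:
    """Co-resident tenant primes every set, lets the victim process one key
    bit, then probes which sets the victim evicted. A guess of -1 means the
    observation did not single out a bit."""
    cache = SharedCache()
    guesses = []
    for bit in key_bits:
        for s in range(N_SETS):
            cache.touch("attacker", s)  # prime: fill the whole cache
        victim(cache, bit)
        evicted = [s for s in range(N_SETS) if cache.owner[s] == "victim"]  # probe
        guesses.append(evicted[0] if len(evicted) == 1 else -1)
    return guesses


KEY = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed 8-bit sample key

if __name__ == "__main__":
    print("leaky victim    ->", prime_probe(leaky_victim, KEY))     # recovers KEY
    print("constant victim ->", prime_probe(constant_victim, KEY))  # all -1
```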

You can have your black card and your credit card carved out of adamantium (just kidding, I would really like that), but the only credit card I want is MasterCard’s Display Card. MasterCard has been testing the card, which comes with an LCD and touchscreen keypad, for some time and has now introduced it in Singapore. They say the added tech is for security: users can generate a one-time password as an authentication security measure.

Here’s MasterCard:

At present, banking institutions that necessitate a higher level of security for their online banking services require the use of a separate authentication token or device. The innovative 2-in-1 device, which combines the functionality of a standard payment card with a state-of-the-art security token, currently reflects the customer’s OTP. In future, this card could incorporate additional functionalities and be able to indicate other real time information such as available credit balance, loyalty or reward points, recent transactions, and other interactive information.

I’m in the camp of throwing an LCD screen and touchscreen keypad on as many things as you can. I don’t even really care about the security function, I just like staring at screens. [Mastercard via CNET]

Mastercard is already a big fish in the still tiny NFC contactless payment pond, and now it wants to take that same technology to a veritable ocean — internet sales. The plastic purveyor is tag-teaming with ING in the Netherlands for PayPass-based smartphone internet payments that would have a “comparable level of security” to bricks and mortar purchases — by transmitting an EMV-compliant cryptogram or QR code to merchants. That would theoretically make online shopping less risky, and the system would also allow coupons and vouchers to be applied, giving a “similar user experience in both the physical and digital world.” The Dutch trial has already started and will continue until early 2013, but there’s no word if new users can still jump in — check the PR after the break to read the tea leaves for yourself.

Bogomil Shopov, a Bulgarian blogger and digital rights activist, bought 1.1 million Facebook names, user IDs and e-mails for the ridiculously low price of 5 dollars. Yes, for a price of a Subway footlong, Shopov was able to get his hands on your personal data from Facebook. What a deal!

Luckily, Shopov isn’t out to spam people or anything. Instead, he wants to use this as an example of how terribly lax Facebook can be with its security. How did those names and e-mail addresses become available in the first place? Facebook apps. Forbes says:

According to the seller of the information, a Gigbucks user with the handle “mertem,” the data was collected from Facebook applications. “The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe,” reads the Gigbucks post. “Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you.”

The personal data of Facebook users isn’t just from people who keep their profile public; Shopov said he found e-mail addresses that were private and hidden too. Facebook is currently looking into the breach of user data but they haven’t yet come to a resolution. We are at their mercy. [Forbes]

At last count, Google had over 26 million Postini users, many of them at enterprises. They use this cloud service to filter e-mail for viruses and spam. Postini currently works with Microsoft Exchange and Lotus Notes, so Gmail isn’t required.

Starting this fall, Google will be telling customers that they have to switch.

Apps is Google’s cloud office suite that includes email, calendars and documents. Google has integrated Postini’s security features into Apps. Google promises that Postini customers who sign on for Apps will still be able to use it with Exchange and Lotus Notes. Naturally, they’ll also get Gmail thrown into the mix.

The first set of customers that will be asked to switch are those with renewal dates of November 1, 2012. Customers with renewal dates between mid-August and October 31, 2012 will get a chance to keep the service a little while longer, until Google makes the full transition sometime in 2013. Google hasn’t announced exactly when that will happen.

We have seen hundreds of fans crash major sporting events. But this might be the first time that a fan jumped in front of the cameras during a trophy presentation and started making sounds like a bird call before being ushered away by security.

Here is the video (via NBC Sports) and the subsequent zingers from both US Open champion Webb Simpson and Bob Costas…

Digital Consigliere

Dr. Augustine Fou is Digital Consigliere to marketing executives, advising them on digital strategy and Unified Marketing(tm). Dr. Fou has over 17 years of in-the-trenches, hands-on experience, which enables him to provide objective, in-depth assessments of their current marketing programs and recommendations for improving business impact and ROI using digital insights.